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A METHOD AND APPARATUS FOR EXPOSING NETWORK 
ADMINISTRATION STORED IN A DIRECTORY USING HTTPAVebDav 

PROTOCOL 



Background of the Invention 

The invention relates generally to computers and, more particularly, to a system 
and method to extend Web content tools to netv^ork administrative services. 

10 A very popular Web (Internet) content tool, or protocol, is WebDAV. WebDAV 

stands for Web Distributed Authoring and Versioning and is currently being developed 
by the Internet Engineering Task Force. Simply stated, the WebDAV protocol makes the 
Web a collaborative, writeable medium. Today the Web is really read-only, where people 
mostly download information. WebDAV makes it possible for web users wherever they 

1 5 are, whether separated by two houses or two continents, to write, edit and save shared 
documents without scuttling each other's work, regardless of which software program or 
Internet service they are using. 

But, WebDAV goes beyond just Web page authoring. When you look under the 
hood, WebDAV is a set of extensions to the Hypertext Transfer Protocol (HTTP), which 

20 is the standard protocol that allows Web browsers to talk to Web servers. WebDAV and 
HTTP can accommodate all kinds of content, and so WebDAV can be used just as easily 
to collaboratively work on a word processing document, a spreadsheet, or an image file. 
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Anything you can store in a file can potentially be authored using WebDAV, gaining its 
advantages, 

WebDAV has three main features: overwrite prevention, properties, and 
namespace management. Overwrite prevention is critical because it allows people to 

5 avoid the "lost update problem" that occurs as changes to a document are lost when 
several authors access and attempt to edit a file at the same time. By ensuring that 
people can work together without losing their changes, overwrite prevention is the key to 
WebDAV's collaboration support. 

WebDAV's properties feature is an efficient means of storing and retrieving what 

10 is known as "metadata" information about a web document such as the author's name, 
copyright, publication date and keywords that Internet search engines use to find and 
retrieve relevant documents. Finally, WebDAV also has what's called "namespace 
management" capabilities, which enables users to conveniently manage Internet files and 
directories, including the ability to move and copy files. The process is similar to the way 

1 5 word-processing files and directories are managed on a regular computer. 

In regards to network administration tools, several tool sets exist on the market 
today. Among those tool sets, the most widely used product on the market is Novell 
Directory Services by Novell, Inc. However, other tool sets such as Active Directory by 
Microsoft based and others based on Lightweight Directory Access Protocol also exist. 

20 Novell Directory Services (NDS) is a portfolio of network administrative tools 

and a product of Novell, Inc. Novell Directory Services, often referred to as a fiill service 
directory, is a general-purpose database that manages discovery, security, storage, and 
relationships. 

Discovery enables you to browse, search, and retrieve specific information from 
25 the directory. For example, you can search for specific object types, such as, users, 

printers, and application objects, or search their specific properties such as users name, 
phone number, address, network number and so on. Discovery must support the industry 
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standard access methods, for example, the Lightweight Directory Access Protocol 
(LDAP) protocol. 

Security controls access to the all the information that is stored in the directory. 
This means that you can establish rules and grant rights to the users for the information in 
5 the directory. In addition, you can control the flow of information within your company, 
across networks of partners, and even your customers. Using the full service directory, 
you can manage the electronic transactions between companies through the cryptographic 
and key management systems. More specifically, the Public Key Infrastructure (PKI) 
available in NDS today provides security for Internet data integrity and privacy across 

10 public networks. It includes both public-key cryptography and digital certificates for 
checking the authenticity of keys used in a public session. 

Storage is the database structure for the directory. It gives you the basic ability to 
save information in the database for future reference. The database is indexed, cached, 
and guarded from data corruption by a transaction system. Besides merely storing data, 

1 5 the database allows you to automatically control the type of data by applying 

classifications to the data structures. The classifications are flexible and extensible to 
provide future representations in the database. The database can be split into physical 
pieces and distributed or placed on multiple servers. These features enable you keep a 
portion of the data close to the users and resource that need them and make multiple 

20 copies of the data for redundancy. 

Relationship is the ability to build associations between the people, network 
devices, network applications, and information on the network. For example, instead of 
storing the user's profile information on the local machine, it can be stored in NDS. The 
result is that the profile information becomes global within the scope of the directory and 

25 the user can access the profile information from anywhere. This means that the user 
receives the same profile regardless of where he attaches and logs in to the network. In 
addition, the access to the profile information is tightly controlled. The only user that can 
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gain access is the one with the proper credentials. Thus, the integrity of profile 
information is protected and secure, and the user can access it globally-easily. 

The other network administration tool sets have similar features. Although the 
combination of a network administration tool set and the WebDAV protocol would 

5 provide access to network directory structure through a platform independent 

architecture, no real combination exists today. If a combination existed, any operating 
system that has a WebDAV enabled web browser can have access to the network 
administration functions. 

Therefore, what is needed is an invention that combines both a network 

1 0 administration portfolio with the WebDAV protocol 

Summary of the Invention 

In contrast to the prior art, the present invention provides a method and system for 
extending the WebDAV protocol to network administration tool sets. To this end, the 

1 5 system and method include modifications to the set of normal method requests for 
WebDAV in order for the protocol to also manipulate network objects. 

One of the benefits of the invention is efficient administration of user rights 
through the internet without requiring software to be installed on client. Another benefit 
is that the system allows users to control rights to their personal data without requiring 

20 software to be installed on the client. This advantage will also reduce the workload on 
network administrators. Another advantage is the ability to browse to resources such as 
printers connected on the internet. Yet another advantage is that the system enables 
developers to create network administration tool set enabled applications using the 
standard WebDAV protocol 

25 In addition, the method can include: receiving a request for a manipulation of a 

first network object from a requesting user; verifying a first set of authorization 
information; translating a logical address of the first network object to a physical file 
system path; checking a local file system for validity and authorization for the requesting 
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user including determining whether the first network object is a first network object; 
verifying a usemame and a password for the requesting user; returning a first error 
message if requesting user is unauthorized to access the first network object; determining 
an object type for the first network object; and sending a response to the requesting user. 

5 The method can also include verifying that the first network object is found and returning 
a second error message if the first network object is not found. The first network object 
can be user object and the request can be to assign new rights to the user object. The new 
rights for the user can also be for another network object. The new rights can be assigned 
by dragging and dropping the user object on another network object by the use of 

1 0 interactive computer screen. 

Therefore, in accordance with the previous summary, objects, features and 
advantages of the present invention will become apparent to one skilled in the art from 
the subsequent description and the appended claims taken in conjunction with the 
accompanying drawings. 

15 

Brief Description of the Drawings 

Fig. 1 is a diagram that illustrates the elements and relationships involved in the 
preferred embodiment; 

Fig. 2 is an example computer screen that illustrates an example in the preferred 

20 embodiment; 

Fig. 3 is another example computer screen that further illustrates the example in 
figure 2; and 

Fig. 4 is a flow chart of the preferred embodiment. 

25 Detailed Description of the Preferred Embodiments 

The present invention is described with several examples given below. It is 
understood, however, that the examples below are not necessarily limitations to the 
present invention, but are used to describe typical embodiments of operation. In 
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particular, although the Novell Directory Services (NDS) is used for the preferred 
embodiment, it is to be understood that the invention could also be implemented with any 
number of the other network administration tool sets. 

Referring to Figure 1, a Novonyx Web Server 10 is shown. The Novonyx Web 

5 Server 10 is a Netscape Server that has been ported to run on NetWare servers. 

WebDAV and HTTP are shown as blocks 12 to illustrate the HTTP/WebDAV plug-in 
within the Novonyx Web Server that uses the normal method of handling HTTP request 
by passing them through a Request-Response process. The message requests themselves 
are sent via the Internet 14 from a Work Station 16 that also has a HTTP/WebDAV 

10 module 18. Both the Novonyx Web Server 10 and the Work Station 16 have TCP/IP 
modules 20 and 22 respectively, to illustrate the communication connection through the 
Internet 14. 

The NDS and File System APFs module 24 provides the method that Novonyx 
Web Server communicates to the NDS Tree 26 and the other NetWare Servers 28. While 

1 5 NDS DAV is the bridge between NDS and the WebDAV protocol, NDS DAV is written 
as a Netscape Server (NS) API extension to the Novonyx Web Server. NS API provides 
the mechanism for an extension to replace all or parts of the Request-Response process. 
The steps in the Request-Response process are described in more detail below. 

Figure 2 shows what an example screen 30 looks like. The screen shows a view 

20 of an Organizational Unit 32 in the my Network folder 35. The screen 30 also shows 

how easy it would be to drag and drop the object Dan on a folder, fde or printer object, to 
assign Dan new NDS rights to that object. The details of the assignment of new rights is 
detailed below. 

Now, a few examples of what can be implemented with the invention. The My 
25 Network folder 35 provides a central location on the NetWare server from which to get to 
the rest of the network resources that are used. Unlike the Network Neighborhood folder 
seen in MS Windows, this folder actually exists on the NetWare server instead of the 
workstation. This folder is also accessed via industry standard web protocols. Because of 
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these special qualities, you can access the My Network folder from any workstation that 
is attached to the public internet - anywhere in the world. 

Within the My Network folder 35, a personalized version of the following items 
are shown: mapped drive web folders 37, 38; a personal web publishing folder 39; a my 
5 directory tree web folder 40; and a my organizational unit web folder 32. 

Now referring to the mapped drive web folders 37, 38, if the network 
administrator set up the mapped network drives so that they normally visible at the client, 
those same directories will be shown as web folders within the My Network folder 35, 
This will allow the user to access his corporate applications and data remotely without the 
10 need for a Novell client on his workstation. However, the Windows and DOS 

applications that require traditional drive mappings will probably not work in this 
environment. 

When an user's login account gets created on a Novell network, the network 
administrator will normally create a home directory (user directory) for the user on the 
1 5 network. If the network administrator enabled the User Home Directories feature, the 

user's My Network folder contains a link to the user's personal web publishing directory 
39. 

For example, if the user's home directory is on \\MyServer\Data\Users\Bob, 
then the user's personal web publishing folder will be called --BOB and actually contains 
20 all the HTML files that the user publishes in the \\MyServer\Data\Users\Bob\public_html 
subdirectory. Please note that the user can control who can access his web publishing 
folders by dragging and dropping users and groups from his NDS directory web folders 
onto those folders. 

The My Directory Tree Web folder 40 allows the user to see the contents of his 
25 Novell Directory Services tree. In particular, the user can see all the users and groups that 
have been defined within his network. To view the properties of any shown object, the 
user double clicks its icon within the web folder. 

However, the network administrator will likely allow the user to only modify the 
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properties of his own user object and modify rights for his personal web pubUshing 
folders. The rights to other users, groups and web folders are usually controlled by the 
network administrator. 

The user's organizational unit web folder 32 contains users that represent all of 

5 the colleagues in the user's department as well as any groups of users that the network 
administrator may have defined. The users and groups found within this folder also 
includes the special users [Public] 42 and [Private] 43. The users and groups within this 
web folder can be used to modify the access rights on the web folders or any other areas 
in which the network administrator has given the user access control rights, 

10 Furthermore, the display of the [Public] 42 and the [Private] 43 objects facilitate 

adding or subtracting all rights. To add all rights to all users, a user would drag the object 
(he would have to have full rights to the object) and drop it on the [Public] object 42. 
Conversely, if the user wanted to take all rights for the object from the other users, he 
would drag the object and drop it on the [Private] object 43. 

1 5 However, please note that although MS Windows currently limits a user to drag 

and drop only objects onto folders and not vice versa, the present invention is not 
restricted to MS Windows or to such a limitation. On the contrary, the architecture and 
methods of the present invention does not have any restrictions regarding the dragging 
and dropping of objects or folders. 

20 In addition, the invention can also work with Microsoft's Office 2000 Start Page. 

The Office 2000 Start Page allows Office2000 users to view the web folders on a 
NetWare Server, as well as to search and discuss the documents that have been published 
there. The user can just click on Office 2000 icon to navigate to the start page that is 
installed on his NetWare server. However, the present invention would work similarly 

25 with other products like Microsoft's Office 2000 and is not meant to be limited to the 
Microsoft products. 

Figure 3 shows another screen 44 with the details of the Dan object listed in 
window 45. The window 45 allows editing of the User Identification of the Dan object, 
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as well as the other object attributes listed in context menu 44. Moreover, the text and 
fields shown in window 42 and context menu 44 can be easily modified as will be 
explained in detail below. 

In order to better understand the preferred embodiment, a few terms will now be 
5 defined. Methods are the methods specified in the http header of a request. Routines are 
the code that performs the necessary actions to handle a method request. Properties are 
the names and values from the prop and other property elements in a extensible Markup 
Language (XML) document. Attributes are the NDS equivalents to properties that are 
used in the NDS Application Programming Interface (API) calls. 

10 Now referring to Figure 4, the first step, Authorization Translation (AuthTrans) 

50, verifies any authorization information. NDS DAY does not alter this step. Then, the 
Name Translation (NameTrans) 52 translates a logical URL to a local file system path. 
NDS DAY does not alter this step either. The process then performs Path Checking 
(PathCheck) 54 which checks the local file system for validity and approved access by 

1 5 the requesting user. At this step, NDS DAY first checks to see if the requested object is 
in the file system. If the requested object is in the file system, than normal processing is 
allowed to continue and NDS DAY takes no further actions 56. 

NDS DAY next checks to see that authorization credentials (auth-user and auth- 
password in the request variables) have been submitted 58. If the authorization 

20 credentials have not been submitted, then the process returns a 401 Unauthorized error 
message 60. If the credentials are present, the process authenticates to NDS with the 
name and password in step 62. If the authorization is incorrect, the process then returns 
an error message in step 64 and stops. Otherwise, upon successful authentication, the 
process then checks for the requested object in NDS 66; if the object is not found (this 

25 could be because the user does not have rights to see this object) a 404 Not Found 
message 68 is returned and the process is stopped. If the object is found, the NDS 
context used in the authenticating process is stored in the session structure passed to NDS 
DAY from the web server. 
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The process now determines the MIME-type of the requested resource at the 
Object Typing (ObjectType) step 72. In this step, NDS DAV checks for the presence of 
the NDS context in the session structure. If the NDS context is found, the MIME type is 
set to ndsdav/nds. 

5 The Service step 74 returns the response to the chent. If the MIME type is not 

ndsdav/nds, then the request is processed as a normal WebDAV request in step 76 and 
NDS DAV takes no further actions. If the request is for NDS, NDS DAV checks for the 
method and processes it in step 78 as described in the following text. 

The PROPFIND routine checks to see which properties are requested. If specific 

1 0 properties are requested, those properties are placed in an NDS input buffer using the 

NWDSPutAttribute API. After all of the attributes are in the buffer, NWDSRead is called 
to retrieve the NDS attributes. If ALLPROPS has been specified or if no properties have 
been specified, the allAttrs parameter for the NWDSRead is set to true to return all of the 
properties of the object. On successfully reading the attributes of an object, the 

1 5 NWDSGetAttrName and NWDSGetAttrValue APIs are called to retrieve the attributes in 
step 84. These attributes are converted to XML using the XML element definitions 
defined below and put in the XML document that is returned upon competition of the 
PROPFIND routine handling. The PROPFIND routine then checks to see if the object is a 
container, and if it is, it checks to see if a non zero depth has been requested. If these are 

20 true, it checks to see if the depth is 1 ; if the depth is 1, it sets the depth to 0. The 
PROPFIND routine is recursively called for each object in the container. 

The PROPPATCH routine parses the XML document to obtain the attributes to 
set. The NWDSModifyObject step then applies the attribute changes. When a 
PROPPATCH routine is sent, the PROPPATCH routine gets the XML document and sets 

25 the attributes in an NDS input buffer, using the NWDSPutAttrNameAndValue call. If 
there is a named by property in the XML document, the property specified by the named 
by property is not put in the NDS input buffer. After all of the properties have been put in 
the input buffer, the attributes are set in NDS by calling the NWDSModifyObject API. 
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Because the name of an object in the NDS scheme is specified as one of the 
attributes, it is possible to change the name of the object with the PROPPATCH routine. 
However, NDS uses a different API to change the attributes that are used to name the 
object. Accordingly, the PROPPATCH routine handler needs to know what the Named 
5 By attribute of the object is. When the base class of the object is Organization, the Named 
By attribute is assumed to be O. When the base class is Organizational Unit, the Named 
By attribute is assumed to be OU. For all other classes, in order to change the attribute 
that is used as the Name of the object, a Named By property must be specified. If this 
property is not specified, then it is assumed that the Object Name is not being changed. If 

10 the PROPPATCH routine tries to change the property that corresponds to the NDS 

attribute that is used to Name the object and a Named By property is not specified a, 409 
Conflict is returned. 

PROPPATCH can be used to change the Password for an Object, Although the 
Password is not an NDS attribute, the PROPPATCH routine looks for an Object 

1 5 Password property in the XML doc. If this property is sent, then the process looks for 
Object Old Password. If the Object Old Password property is not found, then the old 
password is assumed to be an empty string. The PROPPATCH routine then calls the 
NDSChangeObjectPassword to change the password of the object. 

The MKCOL routine checks for an XML doc. If the document is not there, the 

20 routine assumes that the class exists and checks the class of the parent object. If the 

parent object is an Organization, Organizational Unit, or a Locality, the routine creates a 
new Organizational Unit. If the parent is a Country, or Top, the routine creates a new 
Organization. If the parent class is not an Organization, Organizational Unit, Locality, 
Country, or Top, the routine returns an error 403 Forbidden. 

25 If the XML document exists, the document is parsed and the properties are 

applied to the new object. NDS DAV then checks for an Object Class property. If the 
Object Class property does not exist, then the same rules are used as when no XML 
document is present. When the Object Class property is found, the new object is created 
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with the Object Class set according to the Object Class property. NDS objects may also 
have other mandatory attributes. If those mandatory attributes do not exist in the XML 
document, then the NWDSAddObject returns an error and NDS DAV returns a 403 
Forbidden. For objects of base class Organization it is assumed that the name of the 
5 collection should be used for the 0 attribute in NDS. For Organizational Units the 

collection name is used for the OU attribute. For all other base classes it is expected that a 
Named By property be set that specifies which attribute is used for the name of the 
collection. If the Named By property is not in the XML document, a 403 Forbidden is 
returned. 
10 Example - MKCOL 



»Request 



MKCOL /Tree/CZ HTTP 1.1 



Host: www.foo.bar 



15 



Content-Type: text/xml; cjarset="utf-8 
Content-Length: xxx 



<?xml version-"!. 0" encoding="utf-8" ?> 

<set xmlns="NDSDAV:" xmlns:DS="NDSDAV"> 



<DS :NamedBy>C</DS :NamedBy> 



20 



<prop> 



<DS:ObjectClass>Country</DS:ObjectClass> 



</prop> 



</set> 



25 



» Response 



HTTP/LI 201 Created 
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In the example above, a Country object named CZ is created in the root of the tree named 
Tree, The attribute C, which is used to name Country objects, is set to CZ. 

The DELETE routine is recursively called, based on the requested depth. The 
DELETE routine simply calls the NWDSRemoveObject API to remove each object. 
5 The GET method is not changed in the WebDAV specification. However, GET 

needs to be defined for NDS objects. When a GET method is received, NDS DAV looks 
for the object. If NDS DAV finds the object, the base class of the object is retrieved using 
the NWDSReadObjectlnfo API. The routine searches a configuration directory for an 
HTML template file that is named by the base class with an appended .HTML extension 

10 (i.e. User.HTML). If this file is found, it is parsed looking for HTML comments where 
the text in the comment starts with NDS:. When an NDS comment is found, it is replaced 
with data from the NDS object using the NDS Template File Parsing rules. The resuhing 
document is then sent as the reply for the GET method. 

If an HTML template file is not found, the attributes of the object are read using 

1 5 the NWDSRead API and returned as HTML using the Forms for NDS Attributes rules. 
The HTML format allows the object to be viewed and modified using a web browser. 

The POST method is not changed by the WebDAV specifications. For NDS 
objects, NDS DAV parses the contents of the request for NDS attributes using the Forms 
for NDS Attributes rules. 

20 The ASSIGN-TRUSTEE method is not defined by the WebDAV specification. 

When an ASSIGN-TRUSTEE method is received, NDS DAV looks for an XML 
document to determine what rights should be assigned. In the absence of an XML 
document, NDS DAV retrieves the default rights from the NDS DAV configuration. 
Browse, Add, Delete, Rename, Supervisor, Read, Write, Create, and Modify are valid 

25 XML elements for ASSIGN-TRUSTEE. However, not all rights apply to all objects. If a 
right is specified on an object that is not valid for that object, the invalid right is ignored. 
Ignoring invalid rights allows use of the default rights for both NDS objects and File 
System objects. 
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NDS 


File System 


Browse 


X 


X 


Add 


X 




Delete 


X 


X 


Rename 


X 




Supervisor 


X 


X 


Read 




X 


Write 




X 


Create 




X 


Modify 




X 



The MOVE method request will now be described. Since the ability to assign an 
object as a trustee of another object by dragging and dropping an NDS object on another 

5 object would be advantageous, the MOVE method request is handled as an ASSIGN- 
TRUSTEE method request unless an "ASSIGN-TRUSTEE: False" header is found. 
However, another implementation could have the MOVE method request be a true 
MOVE and just use the ASSIGN-TRUSTEE method request to assign trustees. When an 
"ASSIGN-TRUSTEE: False" header is found, the MOVE method request attempts to 

1 0 move the object. If the object is a container, all of the child objects are also moved to the 
container specified in the Destination: header. 

Because the MOVE method request does not defauh to a normal MOVE behavior, 
COPY can also be used to perform a MOVE. NDS DAV looks for a "PERFORM- 
MOVE: True" header. If it is found, the COPY routine is handled as a move. The COPY 

] 5 routine checks for a "Link: True" header. If it is found, an Alias is created for the object 
in the destination directory. 
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The LOCK and UNLOCK method are not used for NDS DAV if these routines 
are requested on an NDS object, a 403 Forbidden is returned. 

Because all modifications for an NDS object can be accomplished using the 
PROPPATCH method, the PUT routine returns a 403 Forbidden for existing objects. 
However, if the PUT method request is sent for an object that does not exist, a new object 
is created. The PUT routine looks for an XML document in the body of the message. The 
XML document should describe the properties for the new document using the XML 
Elements Definitions below. 

Example - PUT 

» Request 

PUT /Rock/Gentoo/Stephan HTTP/1.1 
Host: www.foo.bar 

Content-Type: text/xml; cjarset=="utf-8" 
Content-Length: xxx 

<?xml version="1.0" encoding="utf-8" ?> 

<set xmlns="NDSDAV:" xmlns:DS-"NDSDAV"> 

<DS :NamedBy>CN</DS :NamedBy> 

<prop> 

<DS : Obj ectClass>User</DS : Obj ectClass> 
</prop> 
<prop> 

<DS:Sumame> 

<DS:CaseIgnore>Burton</DS:CaseIgnore> 
</DS:Sumame> 
</prop> 

</set> 
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» Response 

HTTP/Ll 201 Created 
In the example above, a new User object named Stephan will be created in the 
Organization named Gentoo and the tree named Rock. The attribute Surname will be set 
5 to Burton. The attribute CN, which is used to name the object, will be set to Stephan. 

NDS TEMPLATE FILE PARSING 

NDS DAV uses template files to create HTML representations of NDS objects. A 

template processor replaces the contents of NDS comments with data from NDS. NDS 
10 comments are in the format: <!--NDS:function:parameters -->. The NDS comments are 
defined below. New comments can be added using the same format. 

When the current object is in the file system, the associated NDS object is the 
NDS object of the Volume where the file system object resides. 

15 DNLink 

<!- NDSiDNLink --> Outputs the distinguished name of the NDS object as a series of 
links that can be used to browse any container in the objects hierarchy. 

DN 

20 <!-- NDS:DN --> Replaced with the current NDS object's fully distinguished name, 
EscDN 

<!_]sjDS:EscDN -> Replaced by the MIME encoded fully distinguished name of the 
current NDS object. 

25 

EscPath 

<i — ^NDS:EscPath --> When the current object is in the file system, this is replaced with 
the MIME encoded path of the object. 
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<!— NDS:EscBaseClass 
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-> Replaced with the base class of the current NDS object. 



EscParentDN 

5 <! — ^NDS:EscParentDN -> Replaced with the MIME encoded name of the container that 
the current NDS object is in. 

DN 

<! — ^NDS:EscDN -> Replaced by the fully distinguished name of the current NDS 
10 object 

Path 

<! — ^NDS:EscPath --> When the current object is in the file system, this is replaced with 
the path of the object. 

15 

BaseCIass 

<! — ^NDS:EscBaseClass -> Replaced with the base class of the current NDS object. 
ParentDN 

20 <! — ^NDS :EscParentDN --> Replaced with the name of the container that the current NDS 
object is in. 

File 

<! — ^NDS:File:filename --> The file "filename" is opened and parsed. 

25 

Attribute 

<!-- NDS:Attribute:AttributeName:SyntaxPart -> Gets the "Attribute" attribute from the 
current object. If the Syntax of the attribute contains muhiple parts "Syntax Part" 
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specifies which parts will be returned. 
TreeName 

<! — ^NDS:TreeName --> Replaced with the name of the tree the current NDS Object is in. 

5 

FORMS FOR NDS ATTRIBUTES 

When processing the form data for a post, NDS DAV looks for variables with 

names of the format NDS_Attribute_AttributeName. For attribute names, all spaces are 
replaced by the "J' character. For attribute syntaxes that have multiple fields, "_FieldJ' 
10 is appended to the variable name followed by the field name. So for syntaxes with files, 
the variable name has the format NDS_Attribute_AttributeName_Field_FieldName. 

Example 

The NetWare Software Developer's Kit defines the API data structure Path_T, which is 
1 5 used for the path syntax, as: 
typedef enum 

{ 

DS_DOS, 
DS_MACINTOSH, 
20 DS_UNIX, 
DS_FTAM, 
DS_0S2 
} NAME_SPACE_TYPE; 

25 The default HTML created when no template file exists for a Home Directory attribute 
that represents the path SYS:/novonyx/suitespot/docs in the long namespace would be: 
<input type-'text" 

name="NDS_Attribute_Home_Directory_Field_NameSpaceType" 
value-"4"><br> 
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<input type="text" 

name="NDS_Attribute_Home_Directory_Field_VoliimeName" 
value="SYS"><br> 

<input type="text" name="NDS_Attribute_Home_Directory_Field_path" 
5 value- 'novonyx/suitespot/docs"><br> 

Template files can be used to create customized looks. For instance, the nameSpaceType 
could be included in a template file using the following, which would present it as a drop 
down box instead of a text box, 
10 <Script> namespace = <!- NDS:Attribute:Home Directory mameSoaceType -> 

</Script> 

<select name="NDS_Attribute_Home__Directory_Field_NameSpaceType" > 
<option value="0" &{ (if namespace == 0) {"selected"} };> DOS 
<option value- '1" &{(if namespace == 1) {"selected"} };> Mac 
15 <option value="2" &{ (if namespace == 2) {"selected"} };> UNIX 

<optionvalue="3"&{(ifnamespace==3) {"selected"} };> FTAM 
<option value="4" &{(if namespace == 4) {"selected"} };> Long 
</select> 

These features of the invention facilitate the customization of the context menu 46 and 
20 the window 45 of figure 3 . 

XML ELEMENT DEFINITIONS 

Definition of the NDSDAV: namespace 

To restrict the values allowed in a PCDATA element, the following are used 
25 where PCDATA would normally be used: 

uintS indicates that valid values are unsigned numeric values that can be 
represented in 8 bits (i.e. between 0 and 255). 

uintl6 indicates that valid values are unsigned numeric values that can be 
represented in 16 bits. 
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uint32 indicates that valid values are unsigned numeric values that can be 
represented in 32 bits. 

int32 indicates that valid values are signed numeric values that can be represented 
in 32 bits. 

5 All of the numeric values can be represented in hex if they are preceded by a Ox 

(i.e. OxFF) 

Address 

<!ELEMENT Address (#PCDATA)> 

10 

Address Hint 

<!ELEMENT AddressHint (NetAddress) > 
Address Type 

1 5 <!ELEMENT AddressType (#PCDATA) -- Valid values for PCDATA are: "IPX" | "IP" i 
"SDLC" I "TokenRing" | "OSI" | "AppleTalk" ] "Count" -> 

Amount 

<!ELEMENT Amount (uint32) > 

20 

Attribute Name 

<!ELEMENT AttributeName (#PCDATA) > 
Back Link 

25 <!ELEMENT BackLink (RemotelD, ObjectName)> 
Bit String 

<!ELEMENT BitString (uint8+) > 
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Boolean 

<! ELEMENT Boolean (#PCDATA) -- Valid values for PCDATA are "True" | "False" -- 

> 

5 

Case Exact String 

<!ELEMENT CaseExact (#PCDATA) > 

Case Ignore List 

10 <!ELEMENT CaselgnoreList (CaseIgnore+) > 

Case Ignore String 

<! ELEMENT Caselgnore (#PCDATA) > 

1 5 Class Name 

<!ELEMENT ClassName (#PCDATA) > 

Count 

<!ELEMENT Count (uint32) > 

20 

Counter 

<! ELEMENT Counter (uint32)> 

Distinguished Name 

25 <!ELEMENT DistinguishedName (#PCDATA) > 

EMail Address 

<!ELEMENT EMail Address (EmailType, Address) > 
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Email Type 

<!ELEMENT EmailType (uint32) > 

5 Event ID 

<!ELEMENT Event ID (uint32) > 

Facsimile Telephone Number 

<!ELEMENT FaxNumber (TelephoneNumber, BitString) > 

10 

Hold 

<!ELEMENT Hold (ObjectName, Amount) > 
Integer 

1 5 <!ELEMENT Integer (int32) > 
Interval 

<!ELEMENT Interval (int32) > 

20 Level 

<!ELEMENT Level (uint32) > 

Line 

<!ELEMENT Line (#PCDATA)> 

25 

Name Space 

<!ELEMENT NameSpace (#PCDATA) -- Valid values for PCDATA are: "DOS" i 
"Macintosh" | "UNIX" | "FTAM" | "Long" --> 
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Net Address 

<!ELEMENTNetAddress (AddressType, Address) 

5 Numeric String 

<! ELEMENT NumericString (#PCDATA) -- Valid values for PCDATA are the digits 
0..9 and the space character. -> 

Object ACL 

1 0 <!ELEMENT ObjectACL (ProtectedName, SubjectName, Privileges) > 
Object Name 

<!ELEMENT ObjectName (#PCDATA) > 

15 Octet List 

<!ELEMENT Octet List (OctetString+) > 

Octet String 

<!ELEMENT OctetString (uint8*) > 

20 

Path 

<!ELEMENT Path (NameSpace, Volume, PathName) > 

Path Name 

25 <!ELEMENT PathName (#PCDATA) > 

Postal Address (Syntax) 

<!ELEMENT PostalAddress (Line*) -- a maximum of six lines will be used-> 
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Printable String 

<!ELEMENT PrintableString (#PCDATA) > 
5 Privileges 

<!ELEMENT Privileges (#PCDATA*) -- Valid values for PCDATA are: "Browse" | 
"Add" I "Delete" | "Rename" | "Supervisor" ] "Read" | "Write" | "Create" | "Modify" -> 

Protected Name 

1 0 <!ELEMENT ProtectedName (#PCDATA) > 

Remote ID 

<!ELEMENT RemotelD (uint32) > 

1 5 Replica Number 

<!ELEMENT ReplicaNumber (uint32) > 

Replica Pointer 

<!ELEMENT ReplicaPointer (ServerName, ReplicaType, ReplicaNumber, Count, 
20 AddressHint) > 

Replica Type 

<!ELEMENT ReplicaType (#PCDATA) - Valid values for PCDATA are: "Master" | 
"Secondary" | "Read-Only" --> 

25 

Server Name 

<!ELEMENT ServerName (#PCDATA) > 
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Stream 

<!ELEMENT Stream (#PCDATA) > 

Subject Name 

5 <!ELEMENT SubjectName (#PCDATA) > 

Syntax ID 

<!ELEMENT SyntaxID (uint32) > 

10 Telephone Number 

<!ELEMENT TelephoneNumber (#PCDATA) > 

Time 

<!ELEMENT Time (Uint32) -seconds past Jan 1 1970 --> 

15 

Timestamp 

<!ELEMENT TimeStamp (Time, EventID) > 
Typed Name 

20 <!ELEMENT TypedName (ObjectName, Level, Interval) > 
Unknown 

<!ELEMENT UnknownSyntax (AttributeName, SyntaxID, Value) > 

25 Value 

<!ELEMENT Value (uintS*) > 
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Volume 

<!ELEMENT Volume (#PCDATA) > 

5 It is understood that several modifications, changes and substitutions are intended 

in the foregoing disclosure and in some instances some features of the invention will be 
employed without a corresponding use of other features. For example, although the 
present invention was discussed using an I/O card, it may be employed on virtually any 
electronic device. Accordingly, it is appropriate that the appended claims be construed 

10 broadly and in a manner consistent with the scope of the invention. 
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CLAIMS 

1 1 . A method for manipulating network objects by using Internet authoring, 

2 collaboration and versioning tools, the method comprising: 

3 receiving a request for a manipulation of a first network object from a requesting 

4 user; 

5 verifying a first set of authorization information; 

6 translating a logical object address to a physical file system path; 

7 checking a file system for validity and authorization for the requesting user 

8 including determining whether the first network object is a first network object; 

9 verifying a usemame and a password for the requesting user; 

1 0 returning a first error message if requesting user is unauthorized to access the first 

11 network object; 

12 determining an object type for the first network object; and 

1 3 sending a response to the requesting user. 

1 2. The method of claim 1 wherein the manipulation of the first network object 

2 includes changing a set of attributes of the first network object. 

1 3. The method of claim 1 further including verifying that the first network object is 

2 found. 

1 4. The method of claim 3 further including returning a second error message if the 

2 first network object is not found. 

1 5. The method of claim 1 further including assigning new rights to the first network 

2 object. 
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1 6. The method of claim 5 wherein the new rights for the first network object are for a 

2 second network object. 

1 7, The method of claim 5 wherein the new rights are assigned by dragging and 

2 dropping a second network object on the first network object by the use of an interactive 

3 computer screen. 

1 8. The method of claim 7 wherein the new rights are all rights for all users and 

2 assigned by dragging a public icon and dropping the public icon on the first network 

3 object. 

1 9. The method of claim 7 wherein the new rights are subtracting all rights for all 

2 users except an assigned user to the first network object and wherein the new rights are 

3 assigned by dragging a private icon and dropping the private icon on the first network 

4 object. 

1 10. The method of claim 1 further including modifying a set of attributes of the first 

2 network object by modifying a set of fields on a screen of a subset of the set of attributes. 

1 11. The method of claim 1 0 further including navigating a context menu for a 

2 plurality of screens that allow modification of the set of attributes of the first network 

3 object. 
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1 12. A computer program for manipulating network objects by using Internet 

2 authoring, collaboration and versioning tools, the computer program comprising: 

3 instructions for receiving a request for a manipulation of a first network object 

4 from a requesting user; 

5 instructions for verifying a first set of authorization information; 

6 instructions for translating a logical Uniform Resource Locator to a local file 

7 system path; 

8 instructions for checking a local file system for validity and authorization for the 

9 requesting user including determining whether the first network object is a first network 

10 object; 

1 1 instructions for verifying a username and a password for the requesting user; 

12 instructions for retuming a first error message if requesting user is unauthorized to 

1 3 access the first network obj ect; 

14 instructions for determining an object type for the first network object; and 

1 5 instructions for sending a response to the requesting user. 

1 13. The computer program of claim 12 further including instructions for verifying that 

2 the first network object is found. 

1 14. The computer program of claim 1 3 further including instructions for returning a 

2 second error message if the first network object is not found. 

1 15. The computer program of claim 1 2 wherein the request is to assign new rights to 

2 the first network object. 

1 16. The computer program of claim 1 5 wherein the new rights for the first network 

2 object are for a second network object. 
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1 1 7. The computer program of claim 1 5 wherein the new rights are assigned by 

2 dragging and dropping a second network object on the first network object by the use of 

3 interactive computer screen. 

1 18. The computer program of claim 1 7 wherein the new rights are all rights for all 

2 users and assigned by dragging a public icon and dropping the public icon on the first 

3 network object. 

1 19. The computer program of claim 17 wherein the new rights are subtracting all 

2 rights for all users except an assigned user to the first network object and wherein the new 

3 rights are assigned by dragging a private icon and dropping the private icon on the first 

4 network object. 

1 20. The computer program of claim 12 further including instructions for modifying a 

2 set of attributes of the first network object by modifying a set of fields on a screen of a 

3 subset of the set of attributes. 

1 21 . The computer program of claim 20 further including instructions for navigating a 

2 context menu for a plurality of screens that allow modification of the set of attributes of 

3 the first network object. 

1 22. The computer program of claim 1 2 wherein the manipulation of the first network 

2 object includes instructions for changing a set of attributes of the first network object. 



-30- 



Attorney Docket No. 26530.3 

1 23. A system for manipulating network objects by using Internet authoring, 

2 collaboration and versioning tools, the system comprising: 

3 a web server; 

4 a work station connected to the web server by an Internet connection; 

5 at least one network server connected to the web server; 

6 at least one storage system connected to the web server; 

7 means for receiving a request for a manipulation of a first network object from the 

8 work station; 

9 means for verifying a first set of authorization information; 

1 0 means for translating a logical Uniform Resource Locator to the storage system; 

1 1 means for checking for validity and authorization for a requesting user including 

12 determining whether the first network object is a first network object; 

13 means for verifying a usemame and a password for the requesting user; 

14 means for determining an object type for the first network object; and 

1 5 means for sending a response to the requesting user. 

1 24. The system of claim 23 further including means for verifying that the first 

2 network object is found. 

1 25. The system of claim 24 further including means for returning a second error 

2 message if the first network object is not found. 

1 26. The system of claim 23 wherein the request is to assign new rights to the first 

2 network object. 

1 27. The system of claim 26 wherein the new rights for the user are for a second 

2 network object. 
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1 28. The system of claim 26 wherein the new rights are assigned by dragging and 

2 dropping a second network object on the first network object by the use of interactive 

3 computer screen. 

1 29. The system of claim 27 wherein the new rights are all rights for all users and 

2 assigned by dragging a public icon and dropping the public icon on the first network 

3 object, 

1 30. The system of claim 27 wherein the new rights are subtracting all rights for all 

2 users except an assigned user to the first network object and wherein the new rights are 

3 assigned by dragging a private icon and dropping the private icon on the first network 

4 object. 

1 31. The system of claim 23 further including means for modifying a set of attributes 

2 of the first network object by modifying a set of fields on a screen of a subset of the set of 

3 attributes. 

1 32. The system of claim 3 1 further including means for navigating a context menu for 

2 a plurality of screens that allow modification of the set of attributes of the first network 

3 object. 

1 33. The system of claim 23 wherein the manipulation of the first network object 

2 includes means for changing a set of attributes of the first network object. 
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1 34. A method for manipulating network objects, the method comprising: 

2 receiving a request for a manipulation of a first network object from a requesting 

3 user; 

4 verifying a first set of authorization information; 

5 translating a logical object address to a physical file system path; 

6 checking a file system for validity and authorization for the requesting user 

7 including determining whether the first network object is a first network object; 

8 verifying a usemame and a password for the requesting user; 

9 returning a first error message if requesting user is unauthorized to access the first 

10 network object; 

1 1 determining an object type for the first network object 

12 sending a response to the requesting user; 

13 navigating a context menu for a plurality of screens that allow modification of the 

14 set of attributes of the first network object; and 

1 5 modifying a set of attributes of the first network object by modifying a set of 

1 6 fields on a screen of a subset of the set of attributes. 

1 35. The method of claim 3 4 wherein the request is to assign new rights to the first 

2 network object. 

1 36. The method of claim 35 wherein the new rights for the first network object are for 

2 a second network object. 

1 37. The method of claim 35 wherein the new rights are assigned by dragging and 

2 dropping a second network object on the first network object by the use of interactive 

3 computer screen. 
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1 38. The method of claim 37 wherein the new rights are all rights for all users and 

2 assigned by dragging a public icon and dropping the public icon on the first network 

3 object. 

1 39. The method of claim 37 wherein the new rights are subtracting all rights for all 

2 users except an assigned user to the first network object and wherein the new rights are 

3 assigned by dragging a private icon and dropping the private icon on the first network 

4 object. 

1 40. A computer network for a plurality of users to access a workplace, the system 

2 comprising: 

3 a plurality of network computer servers within the computer network; 

4 a plurality of network computer workstations within the computer network and 

5 connected to at least one of the plurality of network computer servers; 

6 a file system, network directory, and printing subsystem on the computer network 

7 and accessible by the plurality of users; 

8 a security system that provides an authentication process in order to allow access 

9 to the plurality of users to the file system, network directory, and printing subsystem; and 
1 0 a graphical user interface for viewing the file system, network directory and 



1 1 printing subsystem as the workplace, and providing the plurality of users the ability to 

1 2 manipulate the file system, network directory and printing subsystem and the ability to 

13 run a plurality of network applications within the file system and network directory 
] 4 portions of the subsystem, 

1 41. The computer network of claim 40 wherein the computer network is a global 

2 internet network and the file and directory subsystem is within an intranet network. 
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42. The computer network of claim 40 wherein the graphical user interface is a web 
browser. 
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A METHOD AND APPARATUS FOR EXPOSING NETWORK 
ADMINISTRATION STORED IN A DIRECTORY USING HTTPAVebDav 

PROTOCOL 

5 ABSTRACT 

A method and system to manipulate network objects by using Internet authoring, 
collaboration and versioning tools is described. The method includes: receiving a 
request for a manipulation of a first network object from a requesting user; verifying a 

1 0 first set of authorization information; translating a logical address of the first network 
object to a physical file system path; checking a local file system for validity and 
authorization for the requesting user including determining whether the first network 
object is a first network object; verifying a usemame and a password for the requesting 
user; returning a first error message if requesting user is imauthorized to access the first 

1 5 network object; determining an object type for the first network object; and sending a 
response to the requesting user. The method can also include verifying that the first 
network object is found and returning a second error message if the first network object is 
not found. The first network object can be user object and the request can be to assign 
new rights to the user object. The new rights for the user can also be for another network 

20 object. The new rights can be assigned by dragging and dropping the user object on 
another network object by the use of interactive computer screen. 
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statements were made with the knowledge that willful false statements and the like so made 
are punishable by fine or imprisonment, or both, under 18 USC 1001 and that such willful 
false statements may jeopardize the validity of the appHcation or any patent issued thereon. 



DOCKET NO.: 26530.3 



POWER OF ATTORNEY: As a named inventor, we hereby appoint the following attorneys 
and/or agents to prosecute this application and transact all business in the Patent and 
Trademark Office connected therewith. 



Jeffrey M. Becker Reg. No. 35,442 

James R. Bell Reg. No. 26,528 

Michael S. Bush Reg. No. 31,745 

Randall E. Colson Reg. No. 40,566 

Michael A. Davis, Jr. Reg. No. 35,488 

Ruben C. DeLeon Reg. No. 37,812 

Timothy Headley Reg. No. 31,765 

Rita M. Irani Reg. No. 31,028 

Warren B. Kice Reg. No. 22,732 



Michael Balconi-Lamica Reg. No. 34,291 

Todd Mattingly Reg. No. 40,298 

David L. McCombs Reg. No. 32,271 

David M. O'Dell Reg. No. 42,044 

Phillip B. Philbin Reg. No. 35,979 

Brandi W. Sarfatis Reg. No. 37,713 

David O. Simmons Reg. No. 43,124 



Send correspondence to David L. McCombs . Haynes and Boone, L.L.P., 901 Main Street, 
Suite 3100, Dallas, Texas 75202-3789 and direct all telephone calls to David L. McCombs at 
214/651-5533. 



Full Name of First Inventor: Daniel Paul Burton 

Inventor's Signature: J fV^i/y^pT^ Dated: jO /^/ ?7 

Residence: 2441 Ranch Road. Eagle Mountain. Utah 84043 

Citizenship: United States of America 

Post Office Address: 2441 Ranch Road. Eagle Mountain. Utah 84043 



FiUl Name of Second Inventor: Chris Andrew 

Inventor's Signature: /f^^ /Wf^Vy Dated: ^/ / ^ / ^ 9 

Residence: 10744 North 6510 West. Highland. Utah 84003 

Citizenship: British 

Post Office Address: 10744 North 6510 West. Highland. Utah 84003 
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